apiVersion: v1
kind: ServiceAccount
metadata:
  name: ingress
  namespace: kube-system

---

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: ingress
subjects:
  - kind: ServiceAccount
    name: ingress
    namespace: kube-system
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io

---

apiVersion: v1
kind: ConfigMap
metadata:
  name: traefik-conf
  namespace: kube-system
data:
  traefik.toml: |
    insecureSkipVerify = true
    defaultEntryPoints = ["http","https"]
    [entryPoints]
      [entryPoints.http]
      address = ":80"
      [entryPoints.https]
      address = ":443"
        [entryPoints.https.tls]
          [[entryPoints.https.tls.certificates]]
          certFile = "/ssl/tls.crt"
          keyFile = "/ssl/tls.key"

---

apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: traefik-ingress-lb
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
  annotations:
    ingress.kubernetes.io/proxy-body-size: "5120M"
spec:
  selector:
    matchLabels:
      k8s-app: traefik-ingress-lb
      name: traefik-ingress-lb
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      terminationGracePeriodSeconds: 60
      volumes:
      - name: ssl
        secret:
          secretName: traefik-tls-cert
      - name: config
        configMap:
          name: traefik-conf
      hostNetwork: true
      restartPolicy: Always
      serviceAccountName: ingress
      containers:
      - image: {{registry_prefix}}:{{registry_port}}/{{traefik_image}}:{{traefik_version}}
        imagePullPolicy: IfNotPresent
        name: traefik-ingress-lb
        volumeMounts:
        - mountPath: /ssl
          name: ssl
        - mountPath: /config
          name: config
        ports:
        - name: http
          containerPort: 80
          hostPort: 80
        - name: https
          containerPort: 443
        - name: admin
          containerPort: 8580
          hostPort: 8580
        args:
        - --configFile=/config/traefik.toml
        - --web
        - --web.address=:8580
        - --kubernetes

---

apiVersion: v1
kind: Service
metadata:
  name: traefik-web-ui
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
  - name: web
    port: 80
    targetPort: 8580
  - protocol: TCP
    port: 443
    name: https
  type: NodePort

---

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: f2c-traefik-ingress
  namespace: kube-system
spec:
  rules:
  - host: traefik.{{ APP_DOMAIN }}
    http:
      paths:
      - path: /
        backend:
          serviceName: traefik-web-ui
          servicePort: 80